Cloud edge: Lookup an IP to find the cloud provider and other details
Cloud edge
Lookup an IP to find the cloud provider and other details based on the provider’s published JSON data
Cloud edge is a recon tool focused on exploring cloud service providers. It can be used for cloud attribution and forensics, pentesting, bug bounty, red teaming, or general R&D of cloud providers. Edge automatically loads the IP address range JSON files published by the Cloud Service Providers (CSPs) AWS, Azure and GCP, and performs a prefix lookup based on the input IP address. It can be integrated with other recon tooling. In a black box network pentest, edge quickly discovers which CSP the customer is hosted with, or lets you double-check the scope for the rules of engagement. Each of the big three CSPs (Amazon, Azure, GCP) publishes a list of all of its IP prefixes and/or netblocks. In some cases, this also includes the region/data center and service name. This can be useful for recon, and the tool can quickly parse these lists and do a lookup based on IP prefix.
JSON files from cloud providers
When the tool runs, it automatically tries to download the three cloud provider IP address range JSON files to the working directory and load them. Here is how it works:
By default it will attempt to download the three files from the URLs below unless you disable the automated download with the -nd flag.
- ip-ranges.json (AWS) –> https://ip-ranges.amazonaws.com/ip-ranges.json
- azure.json (Azure) –> (URL that periodically needs to be updated)
- goog.json (GCP) –> https://www.gstatic.com/ipranges/goog.json
These three files are already included in this GitHub repository, so downloading them only brings them up to date. Once downloaded, you can run the tool with -nd to avoid superfluous downloads.
If found in the working directory, all IP prefixes are loaded into memory. The tool always attempts to load the cloud provider IP range JSON files from the working directory. The actual lookup is enabled with the -prefix flag.
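The prefix lookup described above, sketched as an added example (not code from the cloud edge project): it flattens the three providers' published JSON schemas into one table and returns the most specific range containing an IP. The sample data is constructed from documentation ranges, `load_prefixes` and `lookup` are hypothetical names, and picking the longest matching prefix is an assumption of this sketch rather than confirmed tool behaviour.

```python
import ipaddress

# Constructed sample data in each provider's published schema; the prefixes are
# RFC 5737 / RFC 3849 documentation ranges, not real cloud allocations.
AWS = {
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [{"ipv6_prefix": "2001:db8:a::/48", "region": "eu-west-1", "service": "S3"}],
}
GCP = {"prefixes": [{"ipv4Prefix": "198.51.100.0/24"}, {"ipv6Prefix": "2001:db8:b::/48"}]}
AZURE = {"values": [{
    "name": "Storage.WestEurope",
    "properties": {"region": "westeurope", "systemService": "AzureStorage",
                   "addressPrefixes": ["203.0.113.0/25", "2001:db8:c::/48"]},
}]}

def load_prefixes(aws, gcp, azure):
    """Flatten the three schemas into (network, provider, region, service) tuples."""
    table = []
    for p in aws.get("prefixes", []) + aws.get("ipv6_prefixes", []):
        cidr = p.get("ip_prefix") or p.get("ipv6_prefix")
        table.append((ipaddress.ip_network(cidr), "AWS", p.get("region"), p.get("service")))
    for p in gcp.get("prefixes", []):  # goog.json carries prefixes only
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        table.append((ipaddress.ip_network(cidr), "GCP", None, None))
    for tag in azure.get("values", []):  # one entry per service tag
        props = tag.get("properties", {})
        for cidr in props.get("addressPrefixes", []):
            table.append((ipaddress.ip_network(cidr), "Azure",
                          props.get("region") or None, props.get("systemService") or tag.get("name")))
    return table

def lookup(ip, table):
    """Return the most specific matching entry, or None if no range contains the IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed input is treated as "no match"
    hits = [e for e in table if e[0].version == addr.version and addr in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen, default=None)

TABLE = load_prefixes(AWS, GCP, AZURE)

if __name__ == "__main__":
    for ip in ("192.0.2.200", "198.51.100.7", "203.0.113.10", "203.0.113.200"):
        print(ip, "->", lookup(ip, TABLE))
```

A broad AWS entry such as AMAZON often overlaps a narrower service entry, which is why the sketch prefers the longest prefix; a None result only means the address is outside the loaded files, so stale files can produce false negatives.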
When -dns mode is enabled, DNS lookups for both A and CNAME records are buffered without display until all DNS queries are finished. After the queries are finished, the output is displayed.
One idea is to initially run the tool to download all three files, making sure they are up-to-date. Subsequent runs can then use -nd to improve performance and avoid downloading on every run.
Install & Use
Copyright (c) 2022 iknowjason